refactor(ci): organize workflow scripts and gate publish on main

.github/workflows/mark-stable.yml

@@ -26,14 +26,14 @@ jobs:
 
       - name: Check whether tagged commit is on main
         id: branch-check
-        run: bash scripts/github/check-tagged-commit-on-main.sh
+        run: bash scripts/github/common/check-tagged-commit-on-main.sh
 
       - name: Wait for CI success on main for this commit
         if: steps.branch-check.outputs.is_on_main == 'true'
         env:
           GH_TOKEN: ${{ github.token }}
-        run: bash scripts/github/wait-for-main-ci-success.sh
+        run: bash scripts/github/mark-stable/wait-for-main-ci-success.sh
 
       - name: Move 'stable' tag only if this version is the highest
         if: steps.branch-check.outputs.is_on_main == 'true'
-        run: bash scripts/github/mark-stable-if-highest-version.sh
+        run: bash scripts/github/mark-stable/mark-stable-if-highest-version.sh

.github/workflows/publish-containers.yml

@@ -21,34 +21,20 @@ jobs:
           fetch-depth: 0
 
       - name: Checkout workflow_run commit and refresh tags
-        run: |
+        env:
-          set -euo pipefail
+          WORKFLOW_RUN_SHA: ${{ github.event.workflow_run.head_sha }}
-          git checkout -f "${{ github.event.workflow_run.head_sha }}"
+        run: bash scripts/github/publish-containers/checkout-workflow-run-commit.sh
-          git fetch --tags --force
+
-          git tag --list 'stable' 'v*' --sort=version:refname | tail -n 20
+      - name: Check whether tagged commit is on main
+        id: branch-check
+        env:
+          TARGET_SHA: ${{ github.event.workflow_run.head_sha }}
+        run: bash scripts/github/common/check-tagged-commit-on-main.sh
 
       - name: Compute version and stable flag
         id: info
-        run: |
+        if: steps.branch-check.outputs.is_on_main == 'true'
-          set -euo pipefail
+        run: bash scripts/github/publish-containers/compute-publish-container-info.sh
-          SHA="$(git rev-parse HEAD)"
-
-          V_TAG="$(git tag --points-at "${SHA}" --list 'v*' | sort -V | tail -n1)"
-          if [[ -z "${V_TAG}" ]]; then
-            echo "No version tag found for ${SHA}. Skipping publish."
-            echo "should_publish=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          VERSION="${V_TAG#v}"
-
-          STABLE_SHA="$(git rev-parse -q --verify refs/tags/stable^{commit} 2>/dev/null || true)"
-          IS_STABLE=false
-          [[ -n "${STABLE_SHA}" && "${STABLE_SHA}" == "${SHA}" ]] && IS_STABLE=true
-
-          echo "should_publish=true" >> "$GITHUB_OUTPUT"
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "is_stable=${IS_STABLE}" >> "$GITHUB_OUTPUT"
 
       - name: Set up Docker Buildx
         if: ${{ steps.info.outputs.should_publish == 'true' }}
@@ -66,9 +52,8 @@ jobs:
 
       - name: Publish all images
         if: ${{ steps.info.outputs.should_publish == 'true' }}
-        run: |
+        env:
-          set -euo pipefail
+          OWNER: ${{ github.repository_owner }}
-          OWNER="${{ github.repository_owner }}" \
+          VERSION: ${{ steps.info.outputs.version }}
-          VERSION="${{ steps.info.outputs.version }}" \
+          IS_STABLE: ${{ steps.info.outputs.is_stable }}
-          IS_STABLE="${{ steps.info.outputs.is_stable }}" \
+        run: bash scripts/github/publish-containers/publish-container-images.sh
-          bash scripts/build/publish.sh

scripts/github/check-tagged-commit-on-main.sh

@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-git fetch --no-tags origin main
-
-if git merge-base --is-ancestor "${GITHUB_SHA}" "origin/main"; then
-  echo "is_on_main=true" >> "$GITHUB_OUTPUT"
-  echo "Tagged commit ${GITHUB_SHA} is contained in origin/main."
-else
-  echo "is_on_main=false" >> "$GITHUB_OUTPUT"
-  echo "Tagged commit ${GITHUB_SHA} is not contained in origin/main. Skipping stable update."
-fi

scripts/github/common/check-tagged-commit-on-main.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+TARGET_SHA="${TARGET_SHA:-${GITHUB_SHA:?GITHUB_SHA must be set}}"
+
+git fetch --no-tags origin main
+
+if git merge-base --is-ancestor "${TARGET_SHA}" "origin/main"; then
+  echo "is_on_main=true" >> "$GITHUB_OUTPUT"
+  echo "Target commit ${TARGET_SHA} is contained in origin/main."
+else
+  echo "is_on_main=false" >> "$GITHUB_OUTPUT"
+  echo "Target commit ${TARGET_SHA} is not contained in origin/main. Skipping main-only action."
+fi

scripts/github/publish-containers/checkout-workflow-run-commit.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+WORKFLOW_RUN_SHA="${WORKFLOW_RUN_SHA:?WORKFLOW_RUN_SHA must be set}"
+
+git checkout -f "${WORKFLOW_RUN_SHA}"
+git fetch --tags --force
+git tag --list 'stable' 'v*' --sort=version:refname | tail -n 20

scripts/github/publish-containers/compute-publish-container-info.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SHA="$(git rev-parse HEAD)"
+
+V_TAG="$(git tag --points-at "${SHA}" --list 'v*' | sort -V | tail -n1)"
+if [[ -z "${V_TAG}" ]]; then
+  echo "No version tag found for ${SHA}. Skipping publish."
+  echo "should_publish=false" >> "$GITHUB_OUTPUT"
+  exit 0
+fi
+
+VERSION="${V_TAG#v}"
+
+STABLE_SHA="$(git rev-parse -q --verify 'refs/tags/stable^{commit}' 2>/dev/null || true)"
+IS_STABLE=false
+[[ -n "${STABLE_SHA}" && "${STABLE_SHA}" == "${SHA}" ]] && IS_STABLE=true
+
+{
+  echo "should_publish=true"
+  echo "version=${VERSION}"
+  echo "is_stable=${IS_STABLE}"
+} >> "$GITHUB_OUTPUT"

scripts/github/publish-containers/publish-container-images.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${OWNER:?OWNER must be set}"
+: "${VERSION:?VERSION must be set}"
+: "${IS_STABLE:?IS_STABLE must be set}"
+
+bash scripts/build/publish.sh